Talos Vulnerability Report

TALOS-2019-0829

MongoDB Server session reuse vulnerability

August 6, 2019

CVE Number

CVE-2019-2386

Summary

An exploitable authentication vulnerability exists in MongoDB Server prior to version 4.0.9. Access to a MongoDB database server can be persisted after user deletion by reusing an established session of said user.

Tested Versions

Product URLs

CVSSv3 Score

CWE

CWE-287 - Improper Authentication

Details

Generally, a MongoDB server session can no longer be used once the associated user is deleted.

The following behavior is present in MongoDB:

1. A session is established with a user.
2. Said user is deleted by an administrator.
3. Actions are attempted on the previously established session and fail.
4. The session is revoked, and is not reusable even if the user is recreated.

However, if there is no activity attempted on the session in step 3 above, and the user is recreated, the session can be reused.
This provides a possible mechanism for persisting access to a MongoDB server when administrators believe revocation has occurred.

There are two major requirements for exploitation of this bug:

1. Previous access to a user session.
2. An administrator recreating the user corresponding to this session.
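To make the sequence above concrete, here is an added Python model (not MongoDB's code) that replays the four steps against a session table validated lazily on activity, as described, and against one that binds each session to a per-creation user id; that binding is an assumed mitigation for illustration, not the fix shipped in 4.0.9.

```python
# Added illustration, not MongoDB's code: a minimal model of the session and
# user life cycle from the Details section, comparing a lazily validated
# session table with one bound to a per-creation user identity (assumed fix).
import uuid

class VulnerableSessions:
    # Pre-4.0.9 behaviour as described: a session remembers only the user
    # name and is revoked only when a command fails because that name is gone.
    def __init__(self, users):
        self.users = users      # name -> unique id of this incarnation
        self.sessions = {}      # session id -> principal (None once revoked)

    def login(self, name):
        sid = uuid.uuid4()
        self.sessions[sid] = name
        return sid

    def run_command(self, sid):
        name = self.sessions.get(sid)
        if name is None or name not in self.users:
            self.sessions[sid] = None  # revoke on failed activity (steps 3-4)
            return False
        return True

class HardenedSessions(VulnerableSessions):
    # Assumed mitigation: bind the session to the incarnation id, so a
    # recreated user with the same name is treated as a different principal.
    def login(self, name):
        sid = uuid.uuid4()
        self.sessions[sid] = (name, self.users[name])
        return sid

    def run_command(self, sid):
        entry = self.sessions.get(sid)
        if entry is None or self.users.get(entry[0]) != entry[1]:
            self.sessions[sid] = None
            return False
        return True

def replay(session_cls, activity_before_recreate):
    # Returns True if the old session still works after delete + recreate.
    users = {"alice": uuid.uuid4()}        # constructed sample user
    sessions = session_cls(users)
    sid = sessions.login("alice")          # step 1: session established
    del users["alice"]                     # step 2: administrator deletes user
    if activity_before_recreate:
        sessions.run_command(sid)          # step 3: fails and revokes
    users["alice"] = uuid.uuid4()          # user recreated with the same name
    return sessions.run_command(sid)
```

Only the lazily validated table with no activity between deletion and recreation lets the old session through; the other three runs reject it.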

Exploit Proof of Concept

Simple and reliable exploitation is possible with any MongoDB client.

Here is an exploitation example using the mongo shell utility.

The example contains two shells: an admin and an attacker shell.

The commands are labelled with their shell and are given in chronological order.